Domain Fronting

Domain fronting is a technique that lets web traffic slip past network sensors that would otherwise alert on or block the real destination domain: the request is made to look as if it is headed for a trusted domain, while the sketchy domain is tucked away where the sensor can't see it. It can be used for all sorts of reasons, from bypassing the rules that block access to your favorite porn site at work, to an adversary disguising C2 traffic crossing your enterprise network. It works by naming different domains at different layers of the HTTPS request. The fronted (trusted) domain has to be served by a front end that hosts many customers' domains behind one set of edge servers, such as a CDN or an application platform like Google App Engine or Amazon CloudFront, and the real destination has to sit behind that same front end. Note that the big providers, Google and Amazon CloudFront among them, have since moved to reject requests whose Host header doesn't match the TLS SNI, so the technique is far less reliable against them than it once was.

As some background, the destination domain of an HTTPS request shows up in 3 relevant places: the DNS query, the Host header inside the HTTP request, and the TLS SNI extension. SNI (Server Name Indication) is an extension to TLS that lets the client name the hostname it wants in its ClientHello, so that a single server (or a single IP) can present the right certificate for each of the many sites it hosts without needing one certificate that covers all of them. In a normal request all 3 of these carry the same domain, but in a domain fronting request the HTTP Host (the true destination) differs from the domain in the SNI and the DNS query (the front). Because the DNS query and the SNI are sent in the clear while the HTTP request, Host header included, is encrypted once the TLS handshake completes, the only domains a network sensor can see are the DNS and SNI domains; the Host header is invisible to it (unless, of course, you are doing full TLS interception). The trick works because the front end serving the fronting domain terminates TLS for many customers' domains, reads the Host header after decrypting, and helpfully routes the request to whichever of those domains it names.
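To make the three layers concrete, here is an added example (not code from the original post) that builds a TLS ClientHello carrying an SNI for a front domain, builds the HTTP request whose Host header names the real destination, and shows what a passive sensor can and cannot recover from each. The hostnames `cdn.example.com` (the front) and `hidden.example.net` (the real destination) are placeholders, the ClientHello is a constructed minimal one, and `fronted_get` at the end is the live version of the same idea, which needs network access and a front end that still honors the mismatch.

```python
import socket
import ssl
import struct
from typing import Optional


def build_client_hello(sni_host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello whose only extension is server_name.
    Constructed for illustration; a real client sends many more extensions."""
    name = sni_host.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\xc0\x2f\xc0\x30"            # two common ECDHE suites
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + b"\x11" * 32                             # client random (fixed, illustration only)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                              # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(record: bytes) -> Optional[str]:
    """Pull server_name out of a ClientHello the way a passive sensor (Zeek, Suricata) does.
    This is the one thing about the destination that is visible on the wire besides DNS."""
    if len(record) < 5 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4                     # record header, then handshake type + 3-byte length
    pos += 2 + 32                   # client_version + random
    pos += 1 + record[pos]          # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]          # compression_methods
    if pos + 2 > len(record):
        return None                 # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:      # server_name
            list_len = struct.unpack("!H", record[pos:pos + 2])[0]
            p = pos + 2
            while p + 3 <= pos + 2 + list_len:
                name_type = record[p]
                name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                if name_type == 0:
                    return record[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        pos += ext_len
    return None


def build_fronted_request(real_host: str, path: str = "/") -> bytes:
    """The HTTP request that goes inside the TLS tunnel: Host names the true destination."""
    return f"GET {path} HTTP/1.1\r\nHost: {real_host}\r\nConnection: close\r\n\r\n".encode()


def host_header(request: bytes) -> Optional[str]:
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode()
    return None


def is_fronted(client_hello: bytes, plaintext_request: bytes) -> bool:
    """Detection is only possible once you can see the plaintext request, i.e. with TLS
    interception: flag a session whose SNI and Host header disagree."""
    sni = extract_sni(client_hello)
    host = host_header(plaintext_request)
    return sni is not None and host is not None and sni.lower() != host.lower()


def fronted_get(front_domain: str, real_host: str, path: str = "/", port: int = 443) -> bytes:
    """Live version: DNS and SNI both say front_domain, Host says real_host.
    Needs network access and a front end that still routes on Host; not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((front_domain, port)) as raw:          # DNS sees front_domain
        with ctx.wrap_socket(raw, server_hostname=front_domain) as tls:  # SNI sees front_domain
            tls.sendall(build_fronted_request(real_host, path))          # Host is encrypted
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)
```

The same live request from a shell is just `curl -H "Host: hidden.example.net" https://cdn.example.com/`: curl resolves and SNIs the front, and the Host header rides inside the encrypted tunnel. The `is_fronted` check only ever has the Host side available to a device that terminates TLS; a sensor that sees only the wire gets `extract_sni` and the DNS query, both of which say the front.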

In other words, it's like saying that you want to send your drug dealer $100 in the mail. The feds are onto you, and watch all of your outgoing mail to make sure you aren't sending your drug dealer money. Let's also assume that your drug dealer lives in a crappy apartment building downtown with sirens going off and dogs barking in the middle of the night. So, instead of addressing your envelope to Mr. Dealer, apt. 306, Shitty Apartments, you address it to the front desk of the apartment building's parent company, Luxury Apartments. Luxury Apartments receives this envelope, opens it up, and sees that it is addressed to Mr. Drug Dealer. Luxury Apartments sees that Mr. Dealer lives in their Shitty Apartments subsidiary, and being the helpful apartment complex they are, forwards that $100 off to Mr. Dealer's actual address. Mr. Dealer receives the money, and is happy that he doesn't have to bust your kneecaps. The cops are also happy because all they saw was you sending a normal piece of mail to the trustworthy Luxury Apartments, and nobody is the wiser.